Re: [PR] Cordova-js: Event Listener Hijacking [cordova-js]

Tue, 06 Aug 2024 11:05:49 -0700 


breautek commented on code in PR #276:
URL: https://github.com/apache/cordova-js/pull/276#discussion_r1705922574


##########
src/cordova.js:
##########
@@ -43,6 +43,80 @@ var m_window_removeEventListener = 
window.removeEventListener;
 var documentEventHandlers = {};
 var windowEventHandlers = {};
 
+/**
+ * Mitigation for Event Listener Hijacking
+ */
+(function() {
+    var originalDocumentAddEventListener = document.addEventListener;
+    var originalWindowAddEventListener = window.addEventListener;
+    var documentEventHandlers = {};
+    var windowEventHandlers = {};
+
+    document.addEventListener = function (evt, handler, capture) {
+        var e = evt.toLowerCase();
+        if (typeof documentEventHandlers[e] !== 'undefined') {
+            if (typeof documentEventHandlers[e].subscribe === 'function') {
+                documentEventHandlers[e].subscribe(handler);
+            } else {
+                console.warn('No subscribe function defined for event:', e);
+            }
+        } else {
+            originalDocumentAddEventListener.call(document, evt, handler, 
capture);
+        }
+    };
+
+    window.addEventListener = function (evt, handler, capture) {
+        var e = evt.toLowerCase();
+        if (typeof windowEventHandlers[e] !== 'undefined') {
+            if (typeof windowEventHandlers[e].subscribe === 'function') {
+                windowEventHandlers[e].subscribe(handler);
+            } else {
+                console.warn('No subscribe function defined for event:', e);
+            }
+        } else {
+            originalWindowAddEventListener.call(window, evt, handler, capture);
+        }
+    };
+
+    // Securely define your event handlers
+    documentEventHandlers['click'] = {
+        subscribe: function(handler) {
+            var secureHandler = function(event) {
+                // Perform necessary checks or actions before invoking the 
handler
+                if (event && event.target) {
+                    var allowedElements = ['button', 'a', 'div'];
+                    if 
(allowedElements.includes(event.target.tagName.toLowerCase())) {

Review Comment:
   The ES3/5 equivalent of this would be:
   
   ```suggestion
                       if 
(allowedElements.indexOf(event.target.tagName.toLowerCase()) > -1) {
   ```
   
   But if I understand right this is restricting click events to be just 
`button`, `a`, or `div` tags which is overly restrictive and I don't think we 
can assume that level of strictness from a framework level.
   
   `indexOf` will return -1 if the given value does not appear in the list, 
otherwise it returns the index of the first occurrence found. So by testing `> 
-1` means that the given value was found in the `allowedElements` list.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org

Reply via email to